[Dnssec-trigger] edns0 between local apps and Unbound

Mikaela Suomalainen mikaela at mikaela.info
Fri Jan 15 08:03:57 UTC 2016



Hi,

From what I have understood Unbound has edns0 enabled by default and
only disables it if the upstream nameserver doesn't support it.

However I think it's disabled between local apps (this is probably the
wrong way to say it, but I hope you understand) and Unbound, because
there is no "options edns0" in /etc/resolv.conf and the user cannot enable
it manually as dnssec-trigger overwrites it and even does chattr -/+i
by itself.

I think it being disabled could break DNSSEC validation for some apps
that do it by themselves, e.g. ssh (when verifying SSHFP records on a
DNSSEC-signed zone).

man resolv.conf says:

```
options
Options allows certain internal resolver variables to
be modified.  The syntax is

options option ...

where option is one of the following:

<snip>

edns0 (since glibc 2.6)
Sets RES_USE_EDNS0 in _res.options.  This enables
support for the DNS extensions described in RFC 2671.
```

I originally reported this at Launchpad against the Ubuntu package
<https://pad.lv/1534107>, but I think this should be fixed upstream if
this is an issue (and I think it is).

PS. Sorry if I am wrong about this, but please let me know.

-- 
Mikaela Suomalainen
https://mikaela.info/
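An added example, not part of the original post or of the dnssec-trigger project: it performs the two checks the message implies, whether a given resolv.conf text carries an "options edns0" line, and whether the running glibc stub resolver actually has RES_USE_EDNS0 set after res_init() has read /etc/resolv.conf. The resolv.conf contents below are constructed samples.

```c
/* Added example (not from the original post): does the glibc stub resolver use EDNS0?
 * Check 1 parses resolv.conf-style text for "options edns0".
 * Check 2 asks the live resolver state after res_init(). */
#include <stdio.h>
#include <string.h>
#include <resolv.h>

/* Return 1 if an "options" line in the text contains the edns0 option, else 0.
 * Comment lines (# or ;) never start with "options", so they are skipped naturally. */
int resolv_conf_has_edns0(const char *text)
{
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > 7 && strncmp(p, "options", 7) == 0 && (p[7] == ' ' || p[7] == '\t')) {
            const char *t = p + 7, *end = p + len;
            while (t < end) {                       /* walk the whitespace-separated options */
                while (t < end && (*t == ' ' || *t == '\t')) t++;
                const char *s = t;
                while (t < end && *t != ' ' && *t != '\t') t++;
                if ((size_t)(t - s) == 5 && strncmp(s, "edns0", 5) == 0)
                    return 1;
            }
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* Return 1 if the live resolver has RES_USE_EDNS0 set, 0 if not, -1 if res_init() failed.
 * This reflects /etc/resolv.conf as glibc parsed it, plus any RES_OPTIONS environment. */
int live_resolver_uses_edns0(void)
{
    if (res_init() != 0)
        return -1;
    return (_res.options & RES_USE_EDNS0) ? 1 : 0;
}

int main(void)
{
    /* constructed samples: one without an options line, one with edns0 set */
    const char *no_options = "# Generated by dnssec-trigger\nnameserver 127.0.0.1\n";
    const char *with_edns0 = "nameserver 127.0.0.1\noptions edns0 timeout:2\n";
    printf("conf without options line enables edns0: %d\n", resolv_conf_has_edns0(no_options));
    printf("conf with options edns0 enables edns0:   %d\n", resolv_conf_has_edns0(with_edns0));
    printf("live resolver RES_USE_EDNS0 set:         %d\n", live_resolver_uses_edns0());
    return 0;
}
```

If the live check prints 0 on a dnssec-trigger host, that confirms the situation described in the message: Unbound may speak EDNS0 upstream while the local stub resolver does not request it.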

